Policy/ eu ai act · ai policy · regulation · ai governance

The EU AI Act Has an Identity Problem

A new paper argues the EU's AI rulebook can't answer a basic question: when is an updated AI system still the same system?

The EU's landmark AI law may have a structural flaw hiding in plain sight.

The EU Artificial Intelligence Act sets up a compliance regime built on three pillars: upfront conformity checks, ongoing market monitoring, and mandatory re-assessment when a system undergoes a "substantial modification." Researchers publishing on arXiv argue all three pillars assume regulators can answer a question the law never actually resolves — whether an AI system updated after deployment is legally the same system as the one that was certified. The paper introduces something called the function+ framework, which ties an AI system's identity to its intended function and a set of "trustworthiness" criteria, and proposes it as both an auditing lens and a synchronic identity test — meaning a tool for deciding when two systems at the same moment in time count as the same for regulatory purposes.

The gap matters because AI systems get updated constantly — weights get retrained, prompts get revised, deployment contexts shift. Without a clear identity criterion baked into the law, regulators and vendors are left guessing whether a change triggers re-assessment or not. That ambiguity is a compliance loophole that could be driven through with ease, and the paper warns that the AIA currently offloads the hard calls to sector-specific or harmonization instruments that don't yet exist.

The researchers stop short of calling the law unworkable, instead offering two concrete fixes: more precise reporting of a system's intended purpose, and standardized trustworthiness reporting that allows comparisons across time and deployments. Good luck getting that standardized before the first wave of enforcement.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →